Politics The cybersecurity hole in Biden’s infrastructure plan
Biden to propose $1.8 trillion 'families plan' with paid leave, child care, universal pre-K, free community college
The plan is the second piece of Biden's 'Build Back Better' economic agenda following the release of a $2.3 trillion infrastructure and jobs plan.Biden is set to formally introduce his American Families Plan at his first address before a joint session of Congress Wednesday night. It's the second piece of his "Build Back Better" economic agenda following the release of a $2.3 trillion infrastructure and jobs plan released earlier this month.
President Joe Biden wants to pour trillions of dollars into upgrading America’s roads, ports and schools, but his infrastructure plan has a missing piece: protecting the technology in those shiny new projects from a growing legion of hackers.
Modernized ports will be full of internet-connected machinery, new roads will be built with smart technology to communicate with autonomous cars, and power and water facilities already full of networked equipment will be rebuilt and expanded. All of those projects will create new risks of cyberattacks that can destabilize American life.
Biden takes quick action on cyber in first 100 days
President Biden and his administration hit the ground running on securing federal networks and critical infrastructure during his first 100 days in office, taking quick action after years of what some officials viewed as national security setbacks in U.S. cyber policy.Those actions were fast tracked in large part by a series of massive cyber intrusions into federal and private networks by foreign hackers. Biden came under pressure pretty much from Day One to take a stand against adversaries and revitalize national cyber efforts through levying sanctions and issuing executive orders.
“Designing and building security into any complex infrastructure with digital components in the beginning is far more effective than trying to ‘bolt’ it on after the fact,” said Grant Schneider, who served as the federal chief information security officer and as a National Security Council senior director for cyber policy from 2017 to 2020. “Getting security right from the start is even more important with infrastructure systems that will be in place for years and possibly decades to come.”
Biden’s $2 trillion-plus American Jobs Plan does not mention the need to protect new and upgraded infrastructure from hackers or propose any funding for this task, but experts and former government officials told POLITICO that it was critical that the final bill include significant cybersecurity spending.
Why President Joe Biden's speech to Congress was unlike any other in modern history
A joint sessions speech, known for its glad-handing cadence, was bound to be subdued with only 200 folks permitted at an event that can hold 1,500.President Joe Biden's address to a joint session of Congress was unlike any in modern history due to the COVID-19 pandemic. With no more than 200 folks permitted for an event that can hold up to 1,500, an event known for its glad-handing cadence and rousing moments was destined to be subdued.
“Any investment project that does not take cybersecurity into account is setting itself up for higher risk and a far greater chance of failure,” said Brian Harrell, who led CISA’s Infrastructure Security Division from 2018 to 2020.
The stakes of not protecting this new infrastructure are rising every day. Russian hackers have repeatedly taken down parts of Ukraine’s power grid and could try to mount similar attacks in the United States. Beijing’s tight control over Chinese companies could turn Chinese-made equipment into avenues for spying or sabotage. And terrorists or criminals could exploit bugs in smart cars to sow chaos on America’s roads.
Some members of Congress recognize that the implications are serious.
“Building our infrastructure safely and securely on the front end will keep our families and communities safer in the short-term, and will cost less over the long-term,” said Rep. Yvette Clarke (D-N.Y.), who chairs the House Homeland Security Cybersecurity Subcommittee.
How Joe Biden's speech to Congress differs from past presidential addresses
Things will look a lot different during the annual presidential address, from COVID-19 guidelines to history being made behind the podium.The address, which technically is not called the State of the Union, will be the first time a U.S. president speaks to both houses of Congress since the beginning of the COVID-19 pandemic, as former President Donald Trump delivered his last State of the Union on Feb. 4, 2020.
A White House spokesperson told POLITICO that the Biden administration would “integrate cyber with the design and implementation of the [American Jobs Plan] with investments in cybersecurity for the electric grid and other infrastructure.”
Blinking lights and drinking lye
for upgrading the United States’ power and water infrastructure. These systems’ paramount importance to daily life also makes them top targets for hackers and top priorities for security funding.
The energy sector has made significant strides on cybersecurity in recent years, and Biden’s Energy Department. But in part because of cities’ limits on how much utilities can charge for electricity, many small energy companies can’t afford to invest in cybersecurity. “Special attention is going to need to be [paid] there,” Schneider said.
Aging water treatment plants and wastewater facilities face similar constraints. Many plant operators “are not steeped in security, don't have the funding, [and] don't have the staff” to address cyber threats, said Dave Weinstein, a former CISO for the state of New Jersey.
Any reduction in Energy Department's cybersecurity resources a mistake
DOE is a federal agency with one of the most effective cybersecurity programs, but there is more to be done.The letter reflects the senators' concerns that the Biden administration is considering downgrading the CESER billet from the assistant secretary level to make space for new assistant secretary assignments for justice and jobs. Coming on the heels of a Government Accountability Office (GAO) report highlighting the Department of Energy's (DOE) unfinished work to secure the nation's electric grid and supply chains, Secretary Granholm would be making a mistake if she were to reduce the seniority of cybersecurity leadership at the department.
The water sector’s vulnerability shot into the headlines in early February after, and almost poisoned the city’s water supply after briefly increasing the amount of lye in the system. Only a diligent supervisor’s quick action prevented catastrophe.
Planes, trains and automobiles
The mascot of the nation’s outdated infrastructure is its decrepit transportation system, with its crumbling roads and collapsing bridges. Physical repairs to this infrastructure will be one of the most visible effects of Biden’s plan if it becomes law, but as more roads and bridges incorporate smart technology to support modern vehicles, the security risks will grow.
A road embedded with digital sensors meant to keep cars in their lanes, for example, could instead be hacked to confuse those cars and send them crashing into each other.
Transportation is one area where the federal government may need to consider new cybersecurity regulations, Schneider said, because “a lot of people still don't think about cyber the same way they think about life safety” in that sector.
These concerns also extend to airports and maritime transportation facilities.
When Russian hackers launched the global NotPetya malware outbreak in June 2017,. As the malware knocked port computers offline around the world, cargo trucks backed up outside closed port gates, and ships lingered offshore, unable to receive automated offloading instructions. Computer code had partially crippled global trade.
Joe Manchin urges Biden to focus on 'conventional' infrastructure
Sen. Joe Manchin of West Virginia, an influential Democrat, called for focusing on 'conventional' infrastructure and suggested splitting off parts of Joe Biden's $2.3 trillion plan.‘What we think the greatest need we have now, that can be done in a bipartisan way, is conventional infrastructure whether it's the water, sewer, roads, bridges, Internet — things that we know need to be repaired, be fixed,’ the influential West Virginia Democrat said at a press conference Friday.
Ports are complex environments full of ships, containers and equipment owned and operated by multiple companies. Many port facilities are owned by small businesses or foreign companies that are either ineligible for or unaware of the cybersecurity funds that flow more widely to other sectors such as electricity, said Sean Plankey, a retired Coast Guard officer and former No. 2 official in the Energy Department’s cyber office.
Policymakers worry about the market dominance of Chinese and other adversary-linked companies in the transportation sector. In late 2019, after the Washington, D.C., area’s transit system considered buying new railcars from a Chinese firm that already supplies other major U.S. cities,.
“Countries such as China might seek to use smart, connected infrastructure as a platform for espionage, or even as the target for destructive cyber attacks against the United States,” said Harrell.
Experts are also urging policymakers to mandate strong cybersecurity protections alongside Biden’s $174 billion investment in modern vehicles. “As autonomous vehicles come into play, future technologies are all going to have to integrate with the infrastructure that's going to be built right now,” Schneider said.
Can’t just throw money at the problem
The biggest challenge for integrating cybersecurity into new infrastructure is that many industries lack clear guidance about what security products and services to buy.
Susan Wright, congressman's widow, makes US House runoff in Texas
Rep. Ron Wright died just weeks into office after a COVID diagnosis. His widow, endorsed by Donald Trump, is now in a runoff for his seat.But who she will face remained too early to call. With nearly all votes counted, Republican Jake Ellzey led Democrat Jana Lynne Sanchez by 354 votes in the race for the second runoff spot in Texas' 6th Congressional District, which has long been GOP territory.
Federal guidelines for these sectors are sparse, and typically only large companies employ cybersecurity experts who can walk them through the financial and technological choices they’ll need to make.
“If we were just to put a line in the bill that said, ‘Thou shalt not get money unless it's secure,’ I'd have to look in the mirror and say, ‘I'm not sure we have a great answer for what ‘secure’ is,’” said Matt Hayden, a former assistant secretary of Homeland Security for cyber and infrastructure policy.
He suggested that the government spend a month consulting with vendors and infrastructure operators, developing clear security standards and compiling lists of recommended products for meeting them.
Biden’s plan would give NIST $14 billion — 14 times its annual budget — to “bring together industry, academia, and government to advance technologies and capabilities critical to future competitiveness,”. NIST could use some of that money to of six-year-old .
“NIST does great with due diligence and peer reviews, [but] it's just a process that doesn't speed up well,” Hayden said. With enough money and the ability to prioritize its projects, however, NIST could truly commit to industry-focused guidance.
CISA, with its history of assisting infrastructure operators, could also be “helpful in identifying criteria” for smart cyber spending, said Megan Stifel, who served on the NSC’s cyber staff from 2013 to 2014.
How a rail revolution could look under Biden’s infrastructure push .
What Joe Biden's massive infrastructure push could mean for rail in the U.S. The president famously commuted daily from Wilmington, Delaware, to Washington, D.C., during his time as a senator, logging millions of miles riding the rails and earning the nickname “Amtrak Joe.